Spell updated with Cordova 3.5.1 security fix

It doesn't happen very often that I receive emails from Google, and when it does it's usually bad news (spiders not crawling, Orwellian terms & conditions updates, etc.). Today they met my expectations with this message:

This is a notification that your it.simonerescio.spell, is built on a version of Apache Cordova that contains security vulnerabilities. This includes a high severity cross-application scripting (XAS) vulnerability. Under certain circumstances, vulnerable apps could be remotely exploited to steal sensitive information, such as user login credentials.

This one updates the PhoneGap version used during the build process for all projects, but it is not enough: the vulnerable cordova.js is shipped inside each app, so we also need to update the PhoneGap libraries in every single project so that the cordova.js file is bumped to version 3.5.1, which carries the Android security fix.

In a terminal, navigate to the directory of your PhoneGap project and run the following:

phonegap platform update android

If you followed the command line installation guide for the PhoneGap CLI, everything will go smoothly; otherwise you will run into a series of errors due to missing software and configuration. This is how I solved them step by step, with help from StackOverflow answers and the official documentation.

Missing Apache Ant

The first error I encountered was the Ant build tool missing, which is needed for building from the command line:

Missing Android environment variable

If you haven't already configured the environment variable pointing to your Android SDK installation, re-running the update command results in the following error:

Error: The command "android" failed. Make sure you have the latest Android SDK installed, and the "android" command (inside the tools/ folder) is added to your path.

To solve this you can follow the official guide and create a bash profile file that sets the variable each time the Terminal app is opened, by running the following:

touch ~/.bash_profile; open ~/.bash_profile

A TextEdit window will open with the file we just created; now paste the paths to your Android SDK platform-tools and tools directories, as in the following example, which should be changed to match the location of the SDK on your computer:

Save the changes and run the following command to apply the path to the current session:

source ~/.bash_profile

Note that this fix assumes you are using the bash shell; if you are using an alternative like zsh, the problem will persist. You can switch temporarily to bash by typing bash in the terminal window and hitting enter; to get back to zsh (or whatever other shell you use) once finished, type exit. Switching shells doesn't change the current working directory, which you can verify with pwd.

If everything went as planned, inspecting the file at the following path:

yourProjectDir/platforms/android/platform_www/cordova.js

you will find this value:

var CORDOVA_JS_BUILD_LABEL = '3.5.1';

Update 16/04/2015

The .bash_profile values from the official guide described above are not valid for PhoneGap version 4.x; the new values needed to make the update work, quoting StackOverflow, are the following:

export ANDROID_HOME=/<installation location>/android-sdk-macosx
export PATH=${PATH}:$ANDROID_HOME/tools:$ANDROID_HOME/platform-tools
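Putting the verification step and the SDK path set-up together, here is an added shell script (not from the original post or from the PhoneGap project) that extracts the CORDOVA_JS_BUILD_LABEL from each project's platforms/android/platform_www/cordova.js, flags anything older than 3.5.1, and checks that an SDK directory has the tools and platform-tools folders the exports above point at. The function names are my own, and the project directories and cordova.js contents it creates under a temporary directory are constructed for the demo; in real use point the loop at your own project directories.

```shell
#!/bin/sh
# Added example, not part of the original post: audit PhoneGap projects for
# the Cordova Android 3.5.1 security fix by reading the build label that
# ships inside each project's cordova.js, and sanity-check the SDK layout.

MIN_LABEL="3.5.1"   # first Cordova Android release carrying the fix

# Print the CORDOVA_JS_BUILD_LABEL value from a cordova.js file
# (nothing is printed if the label line is absent).
cordova_label() {
    sed -n "s/^var CORDOVA_JS_BUILD_LABEL *= *'\([^']*\)';.*/\1/p" "$1" | head -n 1
}

# Return 0 when dotted version $1 is greater than or equal to $2.
# Numeric sort per component, so 3.10.0 correctly beats 3.9.1.
version_ge() {
    highest=$(printf '%s\n%s\n' "$1" "$2" | sort -t . -k1,1n -k2,2n -k3,3n | tail -n 1)
    [ "$highest" = "$1" ]
}

# Check one project directory. Returns 0 if its Android cordova.js is at or
# above MIN_LABEL, 1 if it is older, 2 if the file or the label is missing
# (platform never added, or never built).
check_project() {
    js="$1/platforms/android/platform_www/cordova.js"
    [ -f "$js" ] || return 2
    label=$(cordova_label "$js")
    [ -n "$label" ] || return 2
    version_ge "$label" "$MIN_LABEL"
}

# Return 0 when the directory has the two folders the PATH export relies on.
sdk_tools_present() {
    [ -d "$1/tools" ] && [ -d "$1/platform-tools" ]
}

# Demo on constructed projects under a temporary directory.
demo_root=$(mktemp -d)
for name in old new; do
    mkdir -p "$demo_root/$name/platforms/android/platform_www"
done
printf "var CORDOVA_JS_BUILD_LABEL = '3.4.0';\n" \
    > "$demo_root/old/platforms/android/platform_www/cordova.js"
printf "var CORDOVA_JS_BUILD_LABEL = '3.5.1';\n" \
    > "$demo_root/new/platforms/android/platform_www/cordova.js"
mkdir -p "$demo_root/never-built"   # platform directory without a build

for project in "$demo_root"/*; do
    rc=0
    check_project "$project" || rc=$?
    case $rc in
        0) echo "OK       $project: label $(cordova_label "$project/platforms/android/platform_www/cordova.js")" ;;
        1) echo "OUTDATED $project: run 'phonegap platform update android' here" ;;
        *) echo "MISSING  $project: no Android cordova.js to inspect" ;;
    esac
done

# Real use: for project in ~/Projects/*; do ... (same loop body as above)
if sdk_tools_present "${ANDROID_HOME:-/nonexistent}"; then
    echo "ANDROID_HOME=$ANDROID_HOME has tools/ and platform-tools/"
else
    echo "ANDROID_HOME is unset or incomplete; export it as described above"
fi
rm -rf "$demo_root"
```

The label check is the one that matters for the Google warning: a global `npm` update changes only what future builds will use, while this script reads the cordova.js actually sitting in each platform directory, which is what ends up inside the APK.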

Spell version 1.0.1

After these changes I uploaded the new APK to the Play Store. I also included a small fix for the letter "Q", which shared the same description for both upper and lower case in Italian ("Quadro"/"quadro"); the uppercase is now identified with a place name, "Québec".

2 thoughts on “Spell updated with Cordova 3.5.1 security fix”

Using Cordova 5.3.3 CLI for Android but unable to upload the APK on the Google Play Store? Is that problem due to the cordova plugin whitelist? Because I have deleted my platforms and all plugins and then created the whole project again. The alert which I am getting on my Developer account is: REASON FOR WARNING: Violation of the dangerous products provision of the Content Policy and sections 4.4 of the Developer Distribution Agreement. The vulnerabilities include a high severity cross-application scripting (XAS) vulnerability. Under certain circumstances, susceptible apps could be remotely exploited to steal sensitive information, such as user login credentials.